FortiClient no outgoing packets for IKE / ESP auth
Hello,
in the process of troubleshooting my Entra SAML DialUp IPsec tunnel I noticed something weird. While SAML auth via TCP 9443 worked fine, the handover to the IKE negotiation didn't work.
There were no packets being received by FortiGate referring to IKE negotiation or ESP, only SAML via 9443. I was blaming my ISP first, but running a local Wireshark on my WiFi interface revealed that there aren't even packets leaving my device for that peer IP referring to IPsec. To limit potential sources of errors, I replaced the SAML auth with a local firewall user and tried to log in.
However, that doesn't work either. Now there are NO outgoing packets to the gateway IP! Upon login, FortiClient freezes for a bit and then says "IPsec connection is down" - like without even trying.
I tested on 3 different devices now and I can't get it to work. My only assumption is that Wireshark doesn't capture the traffic to the gateway and that there's an issue somewhere in the config. But at least there should be packets arriving at FortiGate's side for the login attempt.
Can someone help?
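The check the poster did by eye in Wireshark, as an added example that is not part of the original post or of any Fortinet tooling: the script below builds a constructed pcap in memory, then counts, per packet type, what a FortiClient IPsec login should produce toward the gateway (SAML over TCP 9443, IKE on UDP 500, NAT-T on UDP 4500, raw ESP as IP protocol 50). The peer address 203.0.113.10, the client address 192.0.2.20 and the packets themselves are constructed assumptions for illustration; the equivalent Wireshark display filter is included so the same test can be run against a real capture of the WiFi interface.

```python
"""Count IPsec-related packets to a VPN peer in a pcap (constructed example)."""
import struct
import socket
from collections import Counter

PEER_IP = "203.0.113.10"   # assumed gateway address (TEST-NET-3), not from the post
CLIENT_IP = "192.0.2.20"   # assumed client address (TEST-NET-1)
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1

# Same selection as classify_capture(), expressed as a Wireshark display filter.
WIRESHARK_FILTER = (
    f"ip.addr == {PEER_IP} && "
    "(udp.port == 500 || udp.port == 4500 || esp || tcp.port == 9443)"
)


def _ipv4_frame(src, dst, proto, payload):
    """Minimal Ethernet + IPv4 frame; checksum left zero (not verified here)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload


def _udp(sport, dport, data=b"\x00" * 8):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def _tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_pcap(frames):
    """Serialize frames as a classic little-endian pcap byte string."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def classify_capture(pcap_bytes, peer_ip):
    """Count packets sent to peer_ip: saml_9443, ike_500, natt_4500, esp, other."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"
    linktype, = struct.unpack_from(endian + "I", pcap_bytes, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("example handles Ethernet captures only")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        if socket.inet_ntoa(frame[30:34]) != peer_ip:
            continue  # destination is not the VPN gateway
        l4 = frame[14 + ihl:]
        if proto == 50:
            counts["esp"] += 1
        elif proto in (6, 17) and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
            if proto == 17 and 500 in (sport, dport):
                counts["ike_500"] += 1
            elif proto == 17 and 4500 in (sport, dport):
                counts["natt_4500"] += 1
            elif proto == 6 and dport == 9443:
                counts["saml_9443"] += 1
            else:
                counts["other"] += 1
        else:
            counts["other"] += 1
    return counts


def symptom_capture():
    """Constructed capture matching the report: SAML goes out, nothing for IKE/ESP."""
    return build_pcap([
        _ipv4_frame(CLIENT_IP, PEER_IP, 6, _tcp_syn(51000, 9443)),
        _ipv4_frame(CLIENT_IP, PEER_IP, 6, _tcp_syn(51001, 9443)),
        _ipv4_frame(CLIENT_IP, "192.0.2.1", 17, _udp(53000, 53)),  # unrelated DNS
    ])


def healthy_capture():
    """Constructed capture of what a working login looks like on the wire."""
    return build_pcap([
        _ipv4_frame(CLIENT_IP, PEER_IP, 6, _tcp_syn(51000, 9443)),
        _ipv4_frame(CLIENT_IP, PEER_IP, 17, _udp(500, 500)),
        _ipv4_frame(CLIENT_IP, PEER_IP, 17, _udp(4500, 4500)),
        _ipv4_frame(CLIENT_IP, PEER_IP, 50, b"\x00" * 16),
    ])


if __name__ == "__main__":
    print("display filter:", WIRESHARK_FILTER)
    print("symptom:", dict(classify_capture(symptom_capture(), PEER_IP)))
    print("healthy:", dict(classify_capture(healthy_capture(), PEER_IP)))
```

On a real capture, a result with only `saml_9443` and zero `ike_500`/`natt_4500`/`esp` confirms on the client side what the poster saw: the SAML step completes but the client never starts IKE toward the gateway, so the problem is local to the client rather than on the ISP path or at FortiGate.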